Aerospace Systems “A Risky Business” 
Understanding the Need for a Mature Risk 
Management Framework 


NSBE Aerospace Systems Conference
August 2016 








Prepared By: 
Jeneene Suttle 
Marshall Space Flight Center 








Risk Management Forum





Purpose: To share basic risk management principles and philosophy, as well as NASA's approach to risk management procedures.

Madelyn Jeneene Suttle


Background 








30 years of Aerospace/Technical Management experience with NASA, including SMA Risk Manager, Export Control, Independent Assessments, System Safety, Environmental, Earned Value Management & Risk Management, and Project Manager for Space Product Development

After completing this training, you will be able to:

» Understand the general definition of risk
» Understand the Risk Management (RM) Philosophy
» Explain the importance of RM
» Perform risk identification, analysis, and mitigation
» Communicate RM to others

Risk is the intentional interaction with uncertainty.

The likelihood of suffering a negative consequence.

What is Risk





The potential inability to achieve success within defined cost, schedule, and technical constraints, measured using two components:

The likelihood (or probability) of failing to achieve a desired outcome, and

The consequence (or impact) of failing to achieve that desired outcome.

» Uncertainty is a potential, unpredictable, and uncontrollable outcome; risk is a consequence of action taken in spite of uncertainty.





Risk vs Uncertainty

Risk
» Consequence of action taken in spite of uncertainty
» The effect of uncertainty on objectives
» Risks are uncertainties that have an impact on the goals
» All risks are uncertainty

Uncertainty
» Potential, unpredictable, and uncontrollable outcome
» Risks, Unknowns, Threats, Traps, Danger, Variables, Ambiguity, Gain and Opportunities
» All uncertainties are not risks

All risks are uncertainty. Some uncertainties do not matter.

» Speculative
  ▪ Provides the potential for gain as well as the potential for loss
  ▪ Brings the potential to improve the current situation relative to the status quo

» Hazard
  ▪ Provides no opportunity to improve upon the current situation
  ▪ Brings only the potential for loss

[Figure: GAIN and LOSS relative to the Status Quo, shown for the Speculative Perspective and the Hazard Perspective]





What is Opportunity

Opportunity

» The likelihood of realizing a gain from an allocation or reallocation of resources
  ▪ Defines a set of circumstances that provides the potential for a desired gain
  ▪ Requires an investment or action to realize the desired gain (i.e., take advantage of the opportunity)

» Tactical opportunity provides a localized gain (e.g., to program or part of a program)

» Business opportunity is a gain for the organization

An opportunity is an uncertain event or condition that, if it occurs, will have a positive effect on one or more of the project objectives, such as cost, schedule and/or technical performance objectives.

Strategies for Identifying Opportunities


Strategies for identifying opportunities: A number of strategies exist to help identify new opportunities and to give consideration to those that have been neglected because of perceived, but unexamined, risk. Some of these strategies include:

▪ Learning from the past: While past experience cannot necessarily be a predictor of future performance, signals that were ignored, missed opportunities, and business surprises can provide insight into organizational blind spots

▪ Customer sensitivity: Trying to understand customers in a way that the competition does not, and creating systems to exploit this information, can lead to great gains

▪ Learning from others: The adage, “A wise person learns from experience, but a wiser person learns from the experience of others,” holds as true in business as it does in life

▪ Scanning: Active scanning of the business environment, potential competitors, or rival technologies is critical to successfully seizing opportunities and combating risk

Integrated Risk and Opportunity Analysis





[Figure labels: Systemic View, Drivers, Tactical]

» A mission risk is a circumstance that has the potential to cause loss from the business or mission perspective

» A mission opportunity is a circumstance that has the potential to provide a gain from the business or mission perspective

Sources of Opportunity


» Sources of Opportunity: Opportunities can arise from areas within the organization and externally, as illustrated in Exhibit 2.

Opportunity Management
Managing Opportunities

» Assessing, and potentially altering, the organization’s risk appetite is a first step in managing opportunities related to risk.

» A program/project/organizational unit’s risk appetite is heavily influenced by its culture and changes over time.

» Risk appetite should be defined and agreed upon at least annually, and ahead of assessing individual risks and opportunities.

» Sometimes shifting risk appetite is necessary to capture opportunities. This shift can be accomplished by developing the capacity to accept more risk, thereby shifting the risk appetite boundary in Exhibit 3.












Risk Appetite Tolerance 


























[Figure: two panels, UNMITIGATED RISK and ALTERED RISK APPETITE, each with a Risk Frequency axis running from Low to High]

Unmitigated risk: The diagonal line represents the company’s risk appetite.

Altered risk appetite: The diagonal line represents the company’s risk appetite, shifted through experience, superior tools, etc.

Source: “A Building-Block Approach for Implementing COSO’s Enterprise Risk Management—Integrated Framework,” by Brian Ballou and Dan Heitger, Management Accounting Quarterly, Winter 2005.








Negative vs Positive

Risk
A risk is a circumstance that has the potential to cause loss from the business or mission perspective
block the path to success

Opportunity
An opportunity is a circumstance that has the potential to provide a gain from the business or mission perspective
enhance the path to

The process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance the risk cost with mission benefit.

The identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events[1] or to maximize the realization of opportunities.


Risk Management

Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.

According to ISO 31000:2009, the term risk management also refers to the architecture that is used to manage risk. This architecture includes risk management principles, a risk management framework, and a risk management process.

» A discipline and science that has developed processes, procedures and tools.

» A look at the future and the goal with focus on what really matters.

» Risk management's objective is to assure uncertainty does not deflect the endeavor from the goals.


Risk & Opportunity Management

» Risk & Opportunity Management Process: The risk and opportunity management process provides a model with tools and techniques to foster and manage innovation within the risk management context for improved decision making, as illustrated in Exhibit 1.

» This model builds on the knowledge and systems already employed in other risk management tools to focus on risks and opportunities to create growth and innovation.

[Figure: Risk & Opportunity Management Process]

Source: Managing Opportunities and Risks

» Enterprise Risk Management (ERM) and Enterprise Risk and Opportunity Management (EROM) are synonymous terms used to address the natural desire of an organization to strike a reasonable balance between minimizing the potential for loss (risk) and maximizing the potential for gain (opportunity). These risks and opportunities are addressed within the context of implementing the organization's strategic goals.

Additional Governance and Tools
Risk Management Framework 

Risk Management Policy 

Risk Management Plan 

Risk Management Flowchart 

Risk Management Tools 

Risk Management Metrics 














Why Risk Management?

» Surprises
» Stuff happens
» Nearly two thirds of all projects fail.
» Intuitive
» What really matters
» The difference between success and failure.
» Risk Management is too important not to do well!

Success vs Failure

We must understand the Risk Level of the event or objective.


Overall Program Risks are more than the sum of all risks. 
We think the process manages risks. People manage risk. 


We must understand risks and how people within the 
organization respond to risks. 


We can plan and monitor but we must make decisions. 


We must understand both Risk Informed Decision Making and Continuous Risk Management.

Columbia Accident Investigation Report (over 300 references to risks)

“There is great risk in placing human beings atop a machine that stores and then burns millions of pounds of dangerous propellants. Equally risky is having humans then ride the machine back to Earth while it dissipates the orbital speed by converting the energy into heat, much like a meteor entering Earth's atmosphere. No alternatives to this pathway to space are available or even on the horizon, so we must set our sights on managing this risky process using the most advanced and versatile techniques at our disposal.”

It all starts with the decisions we make and the uncertainty in those decisions.

The first airplane fatality in history occurred September 17, 1908, when Lt. Thomas Selfridge was killed in a plane accident caused by propeller separation.

“All flight entails some measure of risk, and this has been the case since before the days of the Wright Brothers.”

CAIB

One of the 300+ references to risks in the CAIB

Rescue Operations

[Image text: TRUCK & CRANE HIRE]

Risk Level vs Risk List





Implicit
» Risk Informed Decision Making (RIDM)
» To inform decision making through better use of risk information in establishing requirements
How risky is the Program?

Explicit
» Continuous Risk Management (CRM)
» To manage risk associated with the implementation of requirements
What are the Program Risks?

» The subjective judgment people make about the severity and probability of a risk, which may vary from person to person. Any human endeavor carries some risk, but some are much riskier than others.

» Responses to risk or uncertainty are directly related to the people.

» Risk tolerance, attitude, awareness, assessment, assertion and acceptance affect the process.

» Pursuit of an opportunity can produce new risks or issues and/or change existing risks or issues.





Who is Managing Risks

» Stakeholders
» Partners
» Management
» Contractors
» NASA HQ
» Centers
» Program Offices
» Projects
» Teams
» Everyone

» People manage risks, not processes.

Key Players





» Risk Manager: Shepherds the risk management process

» Risk Owner: Leads implementation of agreed-upon risk disposition or escalation

» Risk Initiator/Identifier: Identifies a potential risk concern

» Program Manager: Critical player in making decisions concerning resources

» Decision Maker: Makes risk-informed decisions

RIDM Functional Roles


» Stakeholder — An individual or organization that is materially affected by the outcome of a decision or deliverable but is outside the organization doing the work or making the decision.

» Risk Analyst — Applies probabilistic methods to the quantification of performance in the mission execution and institutional domains of safety, technical, cost, or schedule.

» Subject Matter Expert — An individual or organization with expertise in one or more topics within the mission execution domains of safety, technical, cost, or schedule.

» Technical Authority (TA) — The individuals within the technical authority process who are funded independently of a program or project and who have formally delegated TA traceable to the Administrator. The three organizations who have TA are Engineering, Safety & Mission Assurance, and Health and Medical.

RIDM Functional Roles (2)


» Decision Maker — A decision-maker is an individual with responsibility for decision-making within a particular organizational scope.

» Risk Manager — An individual with experience in risk and decision analysis and CRM who facilitates the implementation of RIDM and CRM, ensures staff members have adequate training, develops and maintains the RM Plan and other risk documentation, and coordinates RM matters with higher and lower-level organizations.

Two Complementary Processes for Risk Management


» Risk-Informed Decision Making (RIDM)
  ▪ To inform decision making through better use of risk information in establishing baseline performance requirements (e.g., safety, technical, cost, and schedule requirements) for program/projects and mission support organizations

» Continuous Risk Management (CRM)
  ▪ To manage risk associated with the implementation of baseline performance requirements

The RIDM Process Begins with Strategic Goals








Within an organizational hierarchy, high-level objectives (Strategic Goals) flow down in the form of progressively more detailed performance requirements whose satisfaction assures that objectives are met

RIDM is designed to maintain focus on strategic goals as decisions are made throughout the hierarchy

[Image caption: In December 2014, the Journey to Mars took a huge leap forward with Orion's first flight, Exploration Flight Test-1.]

The Risk-Informed Decision Making (RIDM) Process





[Figure: Risk-Informed Decision Making (RIDM)]

Identification of Alternatives: Identify Decision Alternatives (Recognizing Opportunities) in the Context of Objectives

Risk Analysis of Alternatives: Risk Analysis (Integrated Perspective) and Relative Ranking of Decision Alternatives

Risk-Informed Alternative Selection: Deliberate, Select an Alternative Informed by (not solely based on) the Risk Analysis Results and Set Baseline Performance Requirements

To CRM

The RIDM Process


» Identification of decision alternatives (decision context) and considering a sufficient number and diversity of Performance Measures to constitute a comprehensive set for decision-making purposes

» Risk analysis of decision alternatives is defined as uncertainty analysis of performance associated with the alternative

» Selection of a decision alternative informed by (not solely on) Risk Analysis results





The Continuous Risk Management (CRM) Process

[Figure: Continuous Risk Management (CRM). Labels: From RIDM; Communicate, Document; CRM Feedback]

Steps in the CRM Process

Identify: Identify Risk Contributors (Shortfall in Performance Relative to Baseline Performance Requirements)

Analyze: Estimate Likelihood and Consequence Components of the Risk Through Analysis (Including Uncertainty Evaluation), Estimate Aggregate Risks if Feasible

Plan: Decide on Risk Disposition and Handling, Develop and Execute Mitigation Plan, and Decide What Will be Tracked

Track: Track Observables Relating to Performance Measures (e.g., performance data, schedule variance, etc.)

Continuous Risk Management (CRM)


A systematic and iterative process that efficiently identifies, analyzes, plans, tracks, controls, and communicates and documents risks associated with implementation of designs, plans, and processes.

Source: NPR 8000.4A Agency Risk Management Procedural Requirements

What Does the CRM Risk Paradigm Represent?








NASA has adopted the CRM Risk Paradigm, which represents a six-step, methodical process for identifying and managing risks.

CRM STEP 1 — IDENTIFY
Potential Areas of Risk

[Figure: diagram of potential areas of risk. Recoverable labels: Review milestones; Training requirements; Water and soil contamination; Chemical release; Air quality; Travel requirements; Funding cycle; Facilities and Equip; Hardware; Software; On-Orbit operations; Ground operations; Risk; Staffing; Cost/; Management; People; Skills mix/critical areas; Training; Ergonomics; Political; Electrical hazards; PPE; Safety inspections; Center-wide training; As-built versus as-designed; Hardware/Software interfaces; Process Control; Obsolescence]

CRM STEP 1 — IDENTIFY
Risk Statement








» Must be a Fact or perceived to be Fact
» Must be reality based

“GIVEN [condition], [CONSEQUENCE] will occur.”

» Must have a Negative impact to the Condition

The condition-consequence format is more concise and gets closer to an actionable statement that gets the risk management activity moving in the right direction. A good risk statement must be ACTIONABLE and have ONE condition and ONE consequence per statement. The “Risk Statement” should be 25 words or less.

CRM STEP 2 — ANALYZE (4)
Timeframe

» An estimate of the earliest time that the CONSEQUENCE can possibly occur so that mitigation can be accomplished sooner.

» Based on relevant documentation, including schedule information, and individual or group expert knowledge.

» Aids the prioritization of individual “risks” — near-term “risks” must be worked first.

CRM STEP 4 - Plan


Accept: A “risk” may be accepted when:
  • It is not significant enough to justify expenditures
  • The Project is willing to accept the consequence
  • It meets the organizational unit’s criteria for acceptance

Invoke a Contingency Plan: A contingency plan is invoked when a trigger has been exceeded or when some other related action needs to be taken. The “risk” and its mitigation plan continue to be tracked after the contingency plan has been executed

Mitigate: A new or modified plan is required when:
  • The threshold value has been exceeded
  • Analysis of the indicators shows that the action plan is not working
  • An unexpected adverse trend is discovered

Watch: No action is taken when the analysis of the tracking data indicates that all is going as expected and when the project personnel decide to continue tracking the “risk” or mitigation plan as before

Decision | Rationale for Decision


Research: More research is warranted when:
  • The uncertainty is so large that a reasonably robust decision cannot be made
  • The uncertainties can be reduced through research sufficiently to make a robust decision

Elevate: A “risk” decision should be elevated when:
  • The “risk” can no longer be controlled within the present organizational unit
  • The new or modified plan requires significant changes that affect multiple organizational units
  • A change in performance requirements may be required in order to retire a “risk”

Close: A “risk” is closed when it no longer exists or it is no longer cost-effective to track as a risk. This occurs when:
  • The probability has been reduced below a defined threshold
  • The impact has been reduced below a defined threshold
  • The “risk” has become a problem and is now tracked as such

LIKELIHOOD RATING


5 Very Likely: Expected to happen
4 Likely: Could happen. Controls have significant limitations or uncertainties.
3 Possible: Could happen. Controls exist, with some limitations or uncertainties.
2 Unlikely: Not expected to happen. Controls have minor limitations or uncertainties.
1 Highly Unlikely: Extremely remote possibility that it will happen. Strong controls in place.

Timeframe
Near: 0 to 6 months
Mid: 6 to 12 months
Far: > 12 months

Consequence Rating (surviving column headings: Moderate, Significant, Catastrophic; the five cells of each row are listed in column order, lowest to highest consequence)

SAFETY: Health, Safety, Quality & Environment
  1. First aid incident or damage to minor asset. Release to the environment causing insignificant to no impacts or damage to natural or cultural resources.
  2. Short-term injury, impairment or incapacitation. Minor damage to major asset or loss of minor asset. Minor OSHA violation. Release to the environment causing moderate impacts or damage to natural or cultural resources or a Regulatory warning.
  3. Long-term injury, impairment or incapacitation. Significant damage to major asset or loss of major asset. Moderate OSHA violation. Release to the environment causing significant impacts or damage to natural or cultural resources or a violation with minor fine.
  4. Permanent serious injury, impairment or incapacitation. Loss of major asset. Major OSHA violation. Significant release to the environment causing substantial impacts or damage to natural or cultural resources or a violation with major fine.
  5. May cause loss of life. Significant release to the environment causing irreparable impacts or damage to natural or cultural resources or violation resulting in loss of environmental permit.

Mission Success/Supportability (Human Capital, Facilities, Infrastructure)
  1. Minor impact to programmatic and technical support, human capital, capability and diversity. Minor impact to facilities and infrastructure.
  2. Moderate impact to programmatic and technical support, human capital, capability and diversity. Minor impact to facilities and infrastructure.
  3. Significant impact to programmatic and technical support, human capital, capability and diversity. Significant impact to facilities and infrastructure.
  4. Major impact to programmatic and technical support, human capital, capability and diversity. Significant impact to facilities and infrastructure.
  5. Failure to meet customer requirements. Failure to meet major goal or objective.

SCHEDULE
  1. Minor milestone slip < 1 week: Critical
  2. Minor milestone slip > 1 week to < 1 month: Critical Path slip 1 week - 1 month
  3. Major milestone slip > 1 month to < 2 months: Critical Path slip 1 - 2 months
  4. Major milestone slip > 2 months: Critical Path slip 2 - 6 months
  5. Cancellation of project due to schedule overruns

COST
  1. < 1% increase of budget or < $100K increase
  2. 1-5% increase of budget or $100K to $1M increase
  3. 5-10% increase of budget or $1M to $10M increase
  4. 10-20% increase of budget or $10M to $50M increase
  5. Cancellation of project due to budget overruns

CRM STEP 4 — TRACK
Tracking & Reporting on Risk Mitigation 





» Risk mitigation plans are often broken down into specific actionable steps.

» Risk reduction associated with each step is evaluated and progress tracked over time.

» Best practice is to track both predicted and actual effect of each step as well as anticipated and actual date of step completion.

» Examples below show various methods of presenting this information

[Figure: example presentations, a Risk Assessment Code (RAC) risk matrix and a table format listing mitigation steps with completion dates; cell text not recoverable]

Different Interpretations of Communication
If told to “Secure the building” ...

» The Army will establish a guard post and post sentries...

» The Marines will assault the building, capture the occupants, and set up a defensive perimeter...

» The Navy will turn out the lights, lock the doors and leave...

» The Air Force will take out a three year lease with an option to buy...

» NASA will form a committee to: conduct a study on how to word the Request For Proposal (RFP) & issue a contract to determine if the building is needed...

CRM — Learning Points


» RIDM initializes CRM w/selected alternative and performance measures, constraints, thresholds, and requirements

» Step 1: IDENTIFY
  ▪ Risk Statements
  ▪ Risk Scenarios

» Step 2: ANALYZE
  ▪ Likelihood
  ▪ Consequence
  ▪ Uncertainty
  ▪ Timeframe

» Step 3: PLAN
  ▪ Accept
  ▪ Mitigate
  ▪ Close
  ▪ Watch
  ▪ Research
  ▪ Elevate

CRM — Learning Points


» Step 4: TRACK
  ▪ Continuously acquire and compile observable data for mitigated and watched “risks.”
  ▪ Periodically run the risk analysis models with current data
  ▪ Periodically issue a Tracking Report

» Step 5: CONTROL
  ▪ Re-plan (go back to CRM Step #3)
  ▪ Close the “risk(s)”
  ▪ Invoke a contingency
  ▪ Continue tracking the “risk(s)”
  ▪ Elevate

» Step 6: COMMUNICATE & DOCUMENT (throughout CRM)
  ▪ Risk database (or list)
  ▪ Reporting to the next higher organizational level
  ▪ Cross-cutting “risks”
  ▪ Elevation of risk decision-making

Questions for Determining Risks and Escalating Risks:


» Trend: Does this issue or concern affect multiple organizations (horizontal/vertical)?

» Visibility: Does the mitigation require higher level decision maker(s) approval?

» Comfort Level: What is your comfort level in mitigating this risk?

» Comfort Level: What is your comfort level in accepting this risk?

» Resources: Do you require resources outside your authorization?

» Impact: Is there a potential impact to other organizations (horizontal/vertical)?

[Figure labels: BRANCH, DEPARTMENT, DIRECTORATE]

If Yes to one of the above:

» Risk must be escalated

Note: This checklist can be utilized for Issues and Opportunities

• Most risks are below the surface; there are always indicators.

• Understanding our decisions helps us manage the uncertainty and identify the risks.

• RM process starts with understanding decisions and managing uncertainty from those decisions.

• RM is a structured process that ensures consistency and increases credibility to include planning, tracking & controlling your risks.

• Recognize that meeting objectives involves making decisions and decisions generate risks.

• Risk Management Plans are required for formal projects, very useful on others.

• Everyone is involved in managing risks.

• Make managing risks part of your job.

• Documentation and communication are essential parts of managing risks.

• Communicate your risks to all of your stakeholders.

• Risks have been and always will be with us.

• Understanding the program risks is just as important as understanding “how risky is the program”.

» Continuous Risk Management (CRM):


  ▪ Software Engineering Institute (SEI) — Carnegie Mellon http://www.sei.cmu.edu/risk/
  ▪ Office of Safety & Mission Assurance:
    • Risk Management Training Course (STEP Level II): Course #SMA-Risk-OSMA-0016

» Risk Informed Decision Making (RIDM)
  ▪ NASA/SP-2010-576, Version 1.0 April 2010: NASA Risk-Informed Decision Making Handbook
    • http://www.hq.nasa.gov/office/codeq/doctree/NASA_SP2010576.pdf
  ▪ Office of Safety & Mission Assurance:
    • Risk-Informed Decision Making Training Course (STEP Level II): Course #SMA-Risk-OSMA-0013
    • Enterprise Risk and Opportunity Management for Nonprofit Organizations and Research Institutions

» Risk & Opportunity Management:
  ▪ Software Engineering Institute (SEI) — Carnegie Mellon http://www.sei.cmu.edu/risk/

ISO 31000 Risk Management - The Free Dictionary - Wikipedia